Another PnP worm on the loose...

CNN reported a worm outbreak this afternoon involving their network, ABCNews, NYTimes, as well as Capitol Hill.

Information is still flowing on this situation, but here's what we have so far:

Symantec just released info on the W32.Zotob.E worm
.

Trend Micro also released information under WORM_RBOT.CBQ.

McAfee released information as well:

This is an IRC bot worm, and will scan for TCP port 445, and for file shares. McAfee reports in it's bulletin that systems not patched for MS05-039 will continually reboot.

It exploits known vulnerabilities, and the patch is available from microsoft here:


More updates coming as we analyze and gather more information!

A few words from the Microsoft Security Response Center

Mike from the MSRC sent an e-mail with "clarification regarding changing the default setting of NULL sessions and what the impact of changing these settings does to the threat profile of the PnP vulnerability addressed in MS05-039"



The information has been published in the updated yesterday.



Take note of the section on mitigating factors.



Mike also mentioned that the McD's Bomber Message Malware mentioned in is exploiting the vulnerability that is patched with

Reader Mailbag

Kerry Tyler, a self described "Windows Server Wrench" offered the following:



I just wanted to drop a note of thanks for this weekend's coverage of the MS05-039 fun. I came back to the office from lunch on Friday to a blinky green globe in my System Tray--perfect timing to remind me that we still have a couple of stragling Windows 2000 Servers around that needed patched RIGHT THEN, no waiting until our usual Sunday morning patching with the 2K3 boxes. Disaster mostly averted, only held up by crappy Change Management procedures. (had one machine get hit, but mosly a failed exploit attempt, as they did cause the machine to restart)



Many thanks on a job well done, and glad to see some yellow--keeps us on our toes! ;-)



I think Josh summed it up best in his reply ..



I can't speak for the other handlers, but I believe the consensus
opinion would be that it's messages like this one that motivates us to
do what we do. Thank you for your note, and I'm glad you were able to
avert disaster. :)

Back to InfoCon Green

As Johannes mentioned yesterday, we are back to green. As his addition to the diary is still relevant, it bears repeating.



As of Tuesday, 1:45 AM GMT (Monday 20:45 EDT), we moved back to infocon green.



We moved to 'Yellow' on Friday, after we did see a number of exploits released for last weeks Microsoft Windows vulnerabilities, in particular MS05-039 (PnP) which is exploitable remotely.



As expected, we did see various bots, in particular 'Zotob' take advantage of this vulnerability. At this point, the situation is however static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point.



The last week showed once more that there is no more patch window. Defense in depth is your only chance to survive the early release of malware. In this particular case, three distinct best practices can mitigate the vulnerability:
- close port 445 at least at the perimeter.

- patch systems quickly.

- eliminate NULL sessions.
Neither one of these measures is perfect, and some may not be applicable to your network (e.g. you may require NULL sessions in some circumstances).



Another development brought to conclusion in this event is the lesser importance of 'worms' with respect to more sophisticated 'bots'. We received a number of bots using the PnP vulnerability. Antivirus scanners did not identify most of them. In many cases, the same bot was packed differently or some function where added to evade detection.



Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground. The only way we can keep up with this development is by sharing information as efficiently. Being able to do so openly will make it only easier to do this sharing. Please join our effort, and share future observations with us. We will continue to turn them over quickly and make them available via out diaries for everybody to read and to learn from.



I would like to thank in particular handlers Lorna and Tom for their extensive analysis of all the malware submitted.



Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow for ever.



Johannes Ullrich.

Apple Patches

With all the attention on MS05-039 Apple released a few yesterday for 10.3.9 and 10.4.2 client and server.



Affected components vary by software version but include:


Client:


AppKit

BlueTooth

CoreFoundation

cups

Directory Services

HIToolBox

Kerberos

loginwindow

Mail

OpenSSL

QuartzComposerScreenSaver

Security Interface

Safari

X11

zlib


Server:


apache2

AppKit

blojsom

BlueTooth

CoreFoundation

cups

Directory Services

HIToolBox

Kerberos

loginwindow

Mail

OpenSSL

QuartzComposerScreenSaver

Security Interface

servermgrd

servermgr_ipfilter

SquirrelMail

Safari

X11

zlib





isc dot chris at gmail dot com

Handler on Duty